Suppressions done right
Skip with a reason, not blindly.
No scanner is right 100% of the time — some findings are false positives, some are accepted risks, some do not apply to a specific resource. Suppressions are how you handle those, and doing them right is the difference between a trusted gate and a muted one. The best practice is an inline skip comment on the specific resource, naming the exact check and a reason, so the exception is visible in code review and travels with the resource.
resource "aws_s3_bucket" "public_assets" {bucket = "acme-public-web-assets"# checkov:skip=CKV_AWS_20:This bucket intentionally serves public static assets (approved: TICKET-482)}
Scope suppressions tightly
The inline skip is scoped to one resource and one check — exactly what you want. Avoid the blunt instruments: --skip-check applied globally, or blanket config that disables a check everywhere, hides that check for resources that genuinely violate it. When a check is wrong for your whole org, prefer adjusting policy centrally with a reviewed decision rather than a repo-wide skip. Every suppression should answer “why is this safe here?” in the code.
# blunt (avoid as a habit): skip a check everywhere$ checkov -d . --skip-check CKV_AWS_20# better: inline, scoped, documented — the skip lives with the resource and reason